Binding Corporate Rules − Controller Policy

INTRODUCTION

This Binding Corporate Rules Controller Policy and its Appendices (together the “Policy”) set out the approach taken by Avature Group (as defined below) in respect of the protection and management of personal data by the Avature Group members adhered to this Policy in the context of the processing of said personal data either for their own purposes or as a processor on behalf of another Group Member.

The Avature group of companies (“Avature Group”) is a corporate organization operating in several countries. The Avature Group has over 1400 professionals dedicated to bringing new technology, new ideas and new solutions to customers’ challenges. In particular, the Avature Group provides cutting-edge talent acquisition and talent management software solutions that fit customers’ specific needs, accommodates to their particular transformation objectives, and deliver a competitive advantage when deployed within each customers’ organization.

In addition to other definitions provided under this Policy, the following further terms shall have the meanings ascribed to them:

“Applicable Local Law” means any national / local data protection law (including, as the case may be, European data protection law) applicable to the pertinent Group Member.

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

“Europe” means the countries in the European Economic Area (“EEA”);

“European data protection law” means the GDPR and any data protection law of a European Member State, including local legislation implementing the requirements of the GDPR, such as subordinate legislation, in each case as amended from time to time;

“Exporting Entity” means a Group Member, acting as controller or processor, established in Europe, or otherwise subject to European data protection law, who transfers, or otherwise makes available, personal data to an Importing Entity under this Policy;

“GDPR” means European Union (EU) Regulation 2016/679 (the General Data Protection Regulation);

“Group Member” means the Avature Group members adhered to this Policy;

“Importing Entity” means a Group Member, acting as controller or processor, established outside Europe who receives personal data from an Exporting Entity;

“Liable BCR Member” means Avature Spain, S.L.U.;

“personal data” means any information relating to an identified or identifiable natural person (referred to as a “data subject” in this Policy). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“special categories of personal data”, “sensitive data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation; and

“supervisory authority” or “competent supervisory authority” means an independent public authority related to an Exporting Entity established in a European jurisdiction which is responsible for monitoring the application of European data protection law in order to protect the fundamental rights and freedoms of natural persons in relation to processing.

This Policy applies to all personal data that is subject to European data protection law which is then transferred from Exporting Entities to Importing Entities and onward transfers from Importing

Entities to other Importing Entities. Therefore, any obligations and requirements assigned to Group Members under this Policy will be applicable to the extent they refer to personal data which follows under that scope.

This Policy applies to all such personal data processed by Group Members as described in the sections “What personal data does this policy cover?” and “For what purposes is personal data transferred under this policy?”.

Group Members and their employees must fully comply with, and respect, this Policy in the course of processing personal data both for their own purposes, as controllers, and also when acting as processors on behalf of another Group Member acting as controller.

This Policy is additional to, and does not replace or supersede, any specific requirements or rules regarding confidentiality or secrets that might apply to a business area or function within the Avature Group or as required by applicable law.

This Policy, together with a list of current Group Members and their contact details, is published on the company website publicly accessible here.

Application to transfers carried out by Group Members not subject to European data protection law

If a Group Member not subject to European data protection law also has restrictions on international transfers of personal data under its Applicable local law and the competent authorities of such countries recognise this Policy (in whole or in part as required under Applicable local law) as a valid mechanism for legitimizing international transfers of personal data, this Policy may also apply to the personal data transferred from such countries to the Importing Entities. For clarification purposes, this would be without prejudice to the application to the Group Member outside Europe of its Applicable local law.

For these cases, the definitions above should be construed as considering the Group Member transferring personal data not subject to European data protection law as the Exporting Entity.

Accordingly the Policy should be construed and applied mutatis mutandis (e.g. European data protection law shall be construed as the Applicable local law, the supervisory authority as the competent local authority in the pertinent jurisdiction or Member State as the concerned country).

In this context, the Group Member transferring personal data not subject to European data protection law will act as the Liable BCR Member in relation to such international transfer(s) of data.

PART I: BACKGROUND AND ACTIONS

What is data protection law?

European data protection law gives people the right to control how their personal data is processed.
Under European data protection law, when an organisation processes personal data for its own purposes, that organisation is deemed to be a controller of that information and is therefore primarily responsible for meeting the legal requirements. For example, where we are an employer, we are the controller of the personal data that we process about our employees.
When, on the other hand, an organisation processes information on behalf of another entity (for example, to provide a service), the former is deemed to be a processor of the data.

How does European data protection law affect transfers of personal data between Group Members?

European data protection law does not allow transfers of personal data to countries, territories or international organisations outside Europe that do not ensure an adequate level of protection for individuals’ data privacy rights. As some of the countries in which Group Members operate are not regarded by the European Commission as providing an adequate level of protection, appropriate safeguards must be put in place that meet the requirements of European data protection law.

What are Group Members doing about it?

Group Members must take proper steps to ensure that their processing of personal data on an international basis is safe and, hence, lawful. The purpose of this Policy, therefore, is to set out a framework to satisfy the standards contained in European data protection law and, as a result, provide an adequate level of protection for all personal data which is transferred from Exporting Entities to Importing Entities under this Policy.
This Policy is legally binding and applies to all Group Members and their employees where those Group Members process personal data both manually and by automatic means, and requires that Group Members who process personal data as controllers or as processors on behalf of a Group Member, comply with the Rules set out in Part II of this Policy (as applicable) together with the policies and procedures set out in the Appendices in Part III of this Policy. Transfers covered by this Policy include those from controllers to controllers; from controllers to processors; from processors to processors; and from processors to controllers.

What happens to Group Members not subject to European data protection law exporting data?

As explained in the introduction, and for the purpose of designing a global data protection umbrella for Avature Group, if a Group Member not subject to European data protection law also has restrictions on international transfers of personal data under its Applicable local law and the competent authorities of such countries recognise this Policy (in whole or in part as required under Applicable local law) as a valid mechanism for legitimizing international transfers of personal data, this Policy may also apply to the personal data transferred from such countries to the Importing Entities. For clarification purposes, this would be without prejudice to the application to the Group Member outside Europe of its Applicable local law.

What personal data does this policy cover?

Personal data processed under this Policy includes:

• In relation to current and former employees, contractors and temporary employees’ personal data: (a) Personal and contact details (e.g. first name, middle name, surname, mother’s maiden name, title, gender, date of birth, nationality, national identification numbers (e.g. national ID number, Social Security Number, passport number, driver’s license number and/or other government issued identification numbers), email address, home address, home and mobile telephone numbers, nationality, hobbies, etc.); (b) Employment data including work history and contact details (e.g. company provided email, desk and mobile telephone numbers, skype user, description of current position, title, salary plan, pay grade or level, unit/department, location, supervisor(s) and subordinate(s), employee identification number, employment status and type, terms of employment, employment contract, work history, re-hire and termination date(s), length of service, retirement eligibility, performance reviews and ratings (including feedback from managers, stakeholders and other people that work with the employee), promotions and disciplinary records, right to work / immigration data such as permits or visas, etc.); (c) Talent, recruitment and application, education and training details (e.g. details contained in letters of application and resume/CV, personal website or LinkedIn profile directly provided by employees, previous employment background and references, education history, professional qualifications, language and other relevant skills, details on performance management ratings, development plan and willingness to relocate, personal data derived from employees’ participation in Avature Group’s recruitment process such as, for example, those obtained during personal interviews and the emails exchanged with regarding applications or the conversations, etc.); (d) Audio and visual information (e.g. voice and likeness as captured in photographs, video or audio recordings in the context of interviews or meetings conducted over phone or via videoconference, etc.); (e) Financial Information including payroll and compensation details (e.g. bank account details, base salary, bonus, benefits, pay enhancement for dependents, salary step within assigned grade, details on stock options, stock grants and other awards, currency, pay frequency, effective date of current compensation, salary reviews, tax ID social security number and tax code, etc.); (f) Work schedule data (e.g. record of hours worked (where legally required / allowed for), records of holidays, personal days off, medical leaves and other leaves employees have taken, and proof of the reasons (if applicable), overtime and shift work and termination date, etc.); (g) Travel related data (e.g. frequent flyer information (such as alliance airline program and frequent flyer number), usual pick-up and drop-off location, etc.); (h) Security and IT details (e.g. information captured through entry systems and security cameras, information captured through IT usage including access and authentication information, Internet browsing history, phone numbers dialled, documents and files stored on company systems or networks (including computer desktops), emails transmitted from and received on the company’s email accounts (to the extent legally permitted), logs, IP address, successful and failed login attempts, information collected through cookies or other similar tracking technologies, etc.); and (i) Any other information voluntarily provided by data subjects (e.g. via complaints, enquiries, interests, etc.).
  Also, special categories of personal data may be processed by the Group Members when necessary and required or permitted by the applicable law for the purposes described in the following section.
• In relation to employees’ relatives’ personal data: (a) Personal and contact details (e.g. name, surname, contact details such as emergency contact number, etc.); (b) Other information about the employees in relation or about their family where legally required / allowed for (e.g. family group, name and other relevant information about children and other dependants (including them and/or their children’s birth certificates), marital status, legal or de facto spouse, marriage certificate, etc.);.
• In relation to current and former job applicants’ personal data: (a) Personal and contact details (e.g. first name, surname, country, state and city of residence, email address, home address, home and mobile telephone numbers, nationality, etc.); (b) Employment data including work history (e.g. current position, title, location and company and work history, salary plan, pay grade or level, right to work / immigration data such as permits or visas, etc.); (c) Talent, recruitment and application, education and training details (e.g. details contained in letters of application and resume/CV, personal website or LinkedIn profile directly provided by job applicants, previous employment background and references, education history, professional qualifications, language and other relevant skills, details on performance management ratings, development plan and willingness to relocate, personal data derived from job applicants’ participation in Avature Group’s recruitment process such as, for example, those obtained during personal interviews and the emails exchanged with regarding applications or the conversations, etc.); and (d) Audio and visual information (e.g. voice and likeness as captured in photographs, video or audio recordings in the context of interviews conducted over phone or via videoconference, etc.).
• In relation to customers, prospects, suppliers, providers, partners, business associates and advisors’ (including their employees, representatives and/or agents) personal data: (a) Personal and contact details (e.g. name, surname, telephone number, email address, postal address, etc.); (b) Professional details (e.g. position / job title, company details, professional contact details, etc.); (c) Contractual data (e.g. purchase orders, invoices, contracts and other agreements that may contain personal data regarding these data subjects, etc.); (d) Financial and payment information (e.g. bank account details, credit card details, etc.); (e) Audio and visual information (e.g. voice and likeness as captured in photographs, video or audio in the context of meetings conducted over the phone or via videoconferencing, or for security purposes (including information captured through entry systems and security cameras, etc.); (f) IT information (e.g. IP address, user ID, passwords, logs (including profile details) of Avature group websites or portals, etc.); and (g) Other details about the professional relationship with Avature Group (e.g. complaint data, shared communications, etc.).
• In relation to website users’ personal data: (a) Personal and contact details (e.g. name, surname, telephone number, email address, postal address, etc.); (b) Professional details (e.g. position / job title, company details, professional contact details, etc.); (c) IT information (e.g. IP address, user ID, passwords, logs about usage (including profile details) of Avature group websites or portals, data collected via Avature application including data resulting from the access to users’ camera and/or photo library (provided they expressly authorized such access) and other information users may provide that is useful for the future development of the app and for support purposes, etc.); (d) Navigation and usage data (e.g. information collected automatically from data subjects (i.e. through cookies or other similar technologies) regarding their use of websites, IP address, etc.); and (e) Other details about their relationship with Avature Group (e.g. queries, interests, shared communications, etc.).

For what purposes is personal data transferred under this policy?

Personal data is transferred under this Policy for the following purposes:

• Transfers of current and former employees, contractors and temporary employees’ personal data take place between Group Members globally (see the location of all such Group Members here), whatever the origin of the data, for the purposes of (a) managing work activities and personnel generally (e.g. recruitment, appraisals, performance management, promotions, succession planning and career development, payroll management, administering internal mobility, leaves / absences, transfers and secondments, compiling and managing existing employee directories, planning and monitoring of training requirements and career development activities and skills, managing and reporting disciplinary matters and terminations, reviewing employment decisions, ascertaining and making decisions related to employees’ fitness to work and workplace adjustments, making business travel arrangements, managing business expenses and reimbursements, facilitating business communications, negotiations, transactions and conferences, monitoring compliance with internal policies and procedures and other monitoring activities as required / allowed for by applicable laws (e.g. internal reporting systems), performing workforce analysis and planning, performing background checks as required / allowed for by applicable laws, etc.); (b) carrying out aggregated segmentations, statistics and analysis regarding employees’ activity data (e.g. for projection of the interview processes, candidate sources, performance, etc.) in order to improve understanding of, and inform decisions about, the employee population in regards to, among others, talent recruitment, career planning and succession planning; (c) supporting the management of the services provided by the Avature Group and its business operations (e.g. managing and allocating company assets and human resources, operating, managing and securing IT and communication systems and infrastructure, office equipment and other property, strategic planning, project management, business continuity, compilation of audit trails and other reporting tools, maintaining records relating to manufacturing and other business activities, budgeting, financial management and reporting, communications, managing mergers, acquisitions, and re-organizations or disposals, etc.); (d) complying with applicable legal obligations and other requirements (e.g. Labour and Social Security obligations, record keeping and reporting obligations, conducting audits, ensuring compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claim, etc.); and (e) providing a wide variety of services to other Group Members (e.g. IT technology and systems, payroll, Human Resources selection and management, internal audit and compliance, document destruction, document transport, as well as legal management and coordination services in certain areas such as data protection, etc.).
  In relation to employees’ special categories of personal data, such data may be processed by the Group Members if required in order to properly fulfil its purposes (e.g. establishment of suitable conditions in case of physical limitations or special needs, absence management and administration, premises’ access control, provision of employment-related health benefits, etc.) and only as necessary for the purposes of carrying out the obligations and exercising specific rights of Group Members or of the data subject in the field of employment and social security and social protection law (Article 9.2(b)) and for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services (Article 9.2(h)). Additionally, special categories of personal data may be processed for the provision of a wide variety of services to other Group Members (e.g. legal advisory services, labour litigation services, whistleblowing line, archiving and document custody services, insurance services, internal reporting management services, corporate security and general services, finance services, etc.).
• Transfers of employees’ relatives’ personal data personal data take place between Group Members globally (see the location of all such Group Members here), whatever the origin of the data, for the purposes of managing payroll benefits affecting personnel´s relatives.
• Transfers of current and former job applicants’ personal data take place between Group Members globally (see the location of all such Group Members here), whatever the origin of the data, for the purposes of (a) managing recruitment activities generally (e.g. evaluating applications and making hiring decisions, communicating with applicants in relation to the recruitment process and/or their application(s), etc); (b) carrying out aggregated segmentations, statistics and analysis regarding candidate’s activity data (e.g. in preparation of the interview processes, candidate sources, etc.); (c) managing membership for the Talent Community (e.g. offering the possibility to voluntarily join the Talent Community and (only under consent) consider joiners for future job opportunities and send them job recommendations or other related information); (d) complying with applicable legal obligations and other requirements (e.g. conducting audits, ensuring compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claim, etc.); (e) providing a wide variety of services to other Group Members (e.g. IT technology and systems, Human Resources selection and management, internal audit and compliance, document destruction, document transport, as well as legal management and coordination services in certain areas such as data protection, etc.).
• Transfers of customers, prospects, suppliers, providers, partners, business associates and advisors (including their employees, representatives and/or agents)’ personal take place between Group Members globally (see the location of all such Group Members here), whatever the origin of the data, for the purposes of (a) managing the contractual relationship with them generally (e.g. performing agreements in place and /or taking steps to enter into such agreements, for business purposes and communications, establishing, renewing, maintaining or terminating the business relationships, providing access to Internet-based activities and our premises, maintaining business records, conducting auditing, accounting, financial and economic analysis, performing payment and related accounting functions, etc.); (b) managing and ensuring security (e.g. safeguarding IT infrastructure, office equipment and other property, etc.); (c) managing business operations (e.g. operating and managing the IT and communications systems, managing product and service development, improving products and services, managing company assets, allocating company assets and human resources, strategic planning, project management, business continuity, compilation of audit trails and other reporting tools, maintaining records relating to manufacturing and other business activities, budgeting, financial management and reporting, communications, managing mergers, acquisitions, and re-organizations or disposals, etc.); (d) planning and executing marketing strategies generally (e.g. marketing research, planning campaigns and developing marketing strategies, monitoring and reporting on the success of campaigns, etc.); (e) complying with the applicable legislation (e.g. commercial, tax, conducting audits, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claim, etc.); and (f) providing a wide variety of services to other Group Members (e.g. IT technology and systems, internal audit and compliance, document destruction, document transport, risk management, procurement of products and/or services, electronic invoicing, management of marketing and communication campaigns, as well as legal management and coordination services in certain areas such as data protection, etc.).
• Transfers of website users’ personal data take place between Group Members globally (see the location of all such Group Members here), whatever the origin of the data, for the purposes of (a) managing the provision of services generally (e.g. developing and providing the online features and content, managing websites, dealing with inquiries and requests, providing support, etc.); (b) managing and ensuring security (e.g. safeguarding IT infrastructure, ensuring the security and integrity of systems, servers and websites, etc.); (c) carrying out aggregated segmentations, statistics and analysis (e.g. understanding how the services are being used, improving and developing website and service features, enhancing performance and available support, etc.); (d) planning and executing marketing strategies generally (e.g. marketing research, planning campaigns and developing marketing strategies, monitoring and reporting on the success of campaigns, etc.); (e) complying with the applicable legislation (e.g. commercial, conducting audits, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claim, etc.); and (f) providing a wide variety of services to other Group Members (e.g. IT technology and systems, internal audit and compliance, management of marketing and communication campaigns, as well as management and coordination services in certain areas such as data protection, etc.).

Further information

Avature Group has a team of data protection specialists (with a Group Data Protection Officer [as this term is defined below] leading the team) in charge of ensuring that all Group Members are in strict compliance with the applicable data protection legislation (“Privacy Team”). If you have any questions regarding the provisions of this Policy, your rights under this Policy or any other data protection issues, you can contact the Privacy Team at the address below. The Privacy Team will either deal with the matter, forward it to the appropriate person or department within Avature Group or escalate the issue to Avature Group’s data protection officer (“Data Protection Officer”) when appropriate.

Attention: Privacy Team
Online Form: https://www.avature.net/contact-privacy-officer/

The Privacy Team is responsible for ensuring that changes to this Policy are notified in accordance with Appendix 5.
If you are unhappy about the way any other Group Member has processed your personal data, Avature Group has a separate complaint handling procedure which is set out in Part III, Appendix 3.

PART II: OBLIGATIONS OF GROUP MEMBERS AS EITHER CONTROLLERS OR PROCESSORS

Part II of this Policy is divided into three sections:

• Section A addresses the basic principles under European data protection law that a Group Member must observe.
• Section B deals with the practical commitments made by Group Members to the competent supervisory authorities in connection with this Policy.
• Section C describes the third-party beneficiary rights that Group Members have granted to data subjects under Part II of this Policy.

SECTION A: BASIC PRINCIPLES

RULE 1 – LAWFULNESS AND FAIRNESS

Rule 1A – Group Members will first and foremost comply with this Policy and any Applicable DP Local Law in a harmonized manner.

As organisations, Group Members will, subject to the provisions below, comply with any applicable legislation relating to personal data (e.g. in Europe, the European data protection law) and will ensure that where personal data is processed this is done in accordance with this Policy and Applicable Local Law.

Where this Policy applies and:

• there is no Applicable Local Law, or the law does not meet the standards set out by the Rules in this Policy, Group Members’ position will be to process personal data adhering to the Rules set forth in this Policy;
• Applicable Local Law requires a higher level of protection than is provided for in this Policy, the higher level of protection will take precedence over this Policy; or
• Applicable Local Law prevents Group Members from fulfilling, or has a substantial effect on its ability to comply with its obligations under this Policy, Group Members will follow the process set out in Rule 15.

Rule 1B – Group Members will ensure that their processing of personal data is fair and lawful and that a legal basis exists for processing of personal data, where required.

Group Members will ensure that their processing of personal data is fair and lawful, and that a legal basis for processing personal data exists where required. Group Members will only process personal data where:

• the data subject has given consent to the processing of his or her personal data and that consent meets the standards under European data protection law (i.e. it is freely given, specific, informed, unambiguous and as easy to withdraw as to give); or
• it is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject before entering into a contract; or
• it is necessary for compliance with a legal obligation laid down by law to which the Group Member is subject, and the law meets an objective of public interest and is proportionate to the legitimate aim pursued; or
• it is necessary in order to protect the vital interests of the data subject or of another natural person; or
• it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in a Group Member, where the basis for the processing is laid down by law, which meets an objective of public interest and is proportionate to the legitimate aim pursued; or
• it is necessary for the purposes of the legitimate interests pursued by a Group Member or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Where the processing of personal data relates to criminal convictions and offences or related security measures, Group Members will not carry out such processing other than under the control of official authority or when the processing is authorised by Applicable Local Law that provides appropriate safeguards for the rights and freedoms of data subjects in accordance with legal bases above.

Rule 1C – Without prejudice to Rule 1B above, the processing of special categories of personal data is prohibited unless a derogation such as those under European data protection law applies.

Processing of special categories of personal data is only permitted on certain grounds, including:

• Group Member has obtained explicit consent to the processing of any special category of personal data relating to that data subject for one or more specified purposes unless Applicable Local Law provides that the prohibition to processing special category data may not be lifted by the data subject; or
• the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Group Member or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Applicable Local Law or a collective agreement pursuant to Applicable Local Law providing for appropriate safeguards for the fundamental rights and interests of data subjects; or
• the processing is necessary in order to protect the vital interests of a data subject or of another natural person where the data subject is physically or legally incapable of giving consent; or
• the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; or
• the processing relates to personal data that is manifestly made public by the data subject; or
• the processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in a judicial capacity; or
• the processing is necessary for reasons of substantial public interest on the basis of Applicable Local Law provided that it is proportionate to the aim pursued, respects the essence of data protection, and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject; or
• the processing is necessary for the purposes of preventive or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Applicable Local Law provided that the processing is undertaken by or under the responsibility of a professional subject to duties of confidentiality under Applicable Local Law or by rules established by national competent bodies; or
• the processing is necessary for reasons of public interest in the area of public health on the basis of Applicable Local Law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subjects, in particular duties of professional confidentiality; or
• the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on Applicable Local Law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Rule 1D – Group Members will assess the impact of any processing of personal data that will involve high risks to the rights and freedoms of data subjects.

Group Members, when acting as controllers, will assess the necessity and proportionality of any new processing of personal data, and in the case it involves high risks to the rights and freedoms of data subjects, it will carry out a data protection impact assessment in accordance with European data protection law. In the event that the data protection impact assessment indicates that the processing will result in a high risk to data subjects, Group Members will be required to consult the competent supervisory authorities prior to beginning processing in the absence of measures taken to mitigate the risk.

Group Members acting as processors on behalf of other Group Members will be required to co-operate as appropriate to assist controllers in ensuring compliance with their obligations under this Rule 1D.

RULE 2 – ENSURING TRANSPARENCY AND PROCESSING PERSONAL DATA FOR A KNOWN PURPOSE ONLY

Rule 2A – Group Members will inform data subjects, about how their personal data will be processed.

Group Members will ensure that data subjects are always told in a clear and comprehensive way (usually by means of a fair processing statement) how their personal data will be processed. The relevant Group Member will provide the information required by European data protection law, which will include at least the following:

• the identity and contact details of the controller, including the contact details of the data protection officer and representative, as applicable;
• the purpose and legal basis for processing, including an explanation about any processing based on legitimate interests and any new or different compatible purposes;
• the recipients or categories of recipients to which personal data can be transferred;
• information about the safeguards in place to protect personal data when it is transferred internationally and how to access or obtain a copy of such safeguards. In the case of transfers of personal data between an Exporting Entity and an Importing Entity based on this Policy, the information provided will include reference to this Policy and how to access it;
• the period for which personal data will be stored or the criteria used to determine that period;
• details of data subjects’ rights, including right of access, rectification, erasure, restriction, objection, portability, the right to withdraw consent (where processing is based on consent) and the right to complain to a supervisory authority;
• whether the provision of the information is a statutory or contractual requirement, and the consequences of the failure to provide personal data in such circumstances; and
• information about the existence of automated decision-making, including profiling, and at least in cases where such decisions produce legal effects concerning the data subject or similarly significantly affect the data subject, or are based on special categories of personal data, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The requirements of the Applicable Local Law where the personal data is collected will determine whether any additional information has to be provided to data subjects.

This information will be provided when personal data is obtained by Group Members from the data subject or within a timeframe otherwise permitted under European data protection law.

Where Group Members obtain data subject’s personal data from a source other than that data subject, the relevant Group Member will provide this information to the data subject, together with information about the source and categories of personal data received from third parties, as follows:

• within a reasonable period of time after personal data is collected, but at the latest within one (1) month;
• if the personal data is to be processed for communication with the data subject, at the latest at the time of the first communication to that data subject; or
• if it is to be disclosed to a third party, no later than the time when the data is first disclosed.

Group Members will follow this Rule 2A unless not providing information is specifically permitted under European data protection law.

Rule 2B – Group Members will only obtain and process personal data for those purposes which are known to the data subject, or which are compatible with their expectations and are relevant to Group Members.

Rule 1A provides that Group Members will comply with any applicable legislation relating to the processing of personal data. This means that Group Members will process personal data for specific, explicit and legitimate purposes as described in section “For what purposes is Personal Data transferred under this Policy?” above and will not process that personal data in a way which is incompatible with those purposes.

Group Members will identify and make known the purposes for which personal data will be processed (including the secondary uses and disclosures of the data) in accordance with Rule 2A.

Rule 2C – Group Members may only process personal data for a different or new purpose if it is compatible with the purpose for which it was collected.

If a Group Member collects personal data for a specific purpose in accordance with Rule 2A (as communicated to the data subject via the relevant fair processing statement) and as described in Rule 2B, and subsequently the Group Member wishes to process personal data for a different or new purpose, it will not further process that personal data in a way incompatible with the purpose for which it was collected, unless such further processing is based on the consent of the data subject or is required by the law

RULE 3 – ENSURING DATA QUALITY

Rule 3A – Group Members will keep personal data accurate and up to date.

In order to ensure that the personal data held by Group Members is accurate and up to date, Group Members actively encourage data subjects to inform them when their personal data changes. Group Members will take reasonable steps to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

Rule 3B – Group Members will only keep personal data for as long as is necessary for the purposes for which it is processed.

Group Members will comply with Avature Group record retention policies and procedures as revised and updated from time to time. This means, amongst other things, that Group Members delete or block, as the case may be, personal data that is no longer necessary for the purpose for which it is collected and further processed.

Rule 3C – Group Members will only process personal data which is adequate, relevant and limited to what is necessary for the purposes of such processing.

Group Members will only process personal data that is required in order to properly fulfil its purposes.

RULE 4 – TAKING APPROPRIATE SECURITY MEASURES

Rule 4A – Group Members will adhere to Avature Group IT security policies.

Group Members will implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access, in particular where processing involves transmission of personal data over a network, and against all other unlawful forms of processing. To this end, Group Members will comply with the requirements in the security policies in place within Avature Group, as revised and updated from time to time, together with any other security procedures relevant to a business area or function. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

Group Members will implement and comply with breach notification policies as required by Applicable Local Law as described in the following Rule.

Rule 4B – Group Members have implemented a data breach notification policy.

Group Members have implemented a personal data breach response policy (as revised and updated from time to time) which sets out the process which must be followed in the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (a “Personal Data Breach”).

In particular, in the event of a Personal Data Breach, the person who becomes aware of the breach within the relevant Group Member will, without undue delay and in any event within twenty-four (24) hours from the moment he/she becomes aware, notify it to Avature’s Data Protection Officer and the Security Team, following the steps set out in Avature’s personal data breach response policy.

Once Avature’s Data Protection Officer has received the information concerning the Personal Data Breach, he/she will assess, together with the Legal Team, whether it can be considered as a Personal Data Breach or, on the contrary, as a security incident that has not affected personal data.

Once it has been concluded that the security incident affects personal data, the Legal Team and / or the Data Protection Officer will determine if it should be notified to the competent supervisory authority within the required timeline (as per European data protection law, without undue delay and, where feasible, not later than 72 hours after having become aware of it), unless the Personal

Data Breach is unlikely to result in a risk to the rights and freedoms of data subjects. In any case, the Legal Team and / or the Data Protection Officer will ensure that the Personal Data Breach is also notified without undue delay to the Group Member acting as a controller, where applicable, and the Liable BCR Member(s).

Data subjects will be notified without undue delay in cases where the Personal Data Breach is likely to result in a high risk to their rights and freedoms, unless such notification is not required under European data protection law.

Personal Data Breaches suffered by Group Members, comprising the facts, the effects of such incidents and the remedial action taken, will be documented in a Personal Data Breach report which will be available to the competent supervisory authority upon request.

Rule 4C – Group Members will ensure that service providers and other entities processing personal data on their behalf also adopt appropriate and equivalent security measures.

Group Members using a service provider (acting as a processor) that has access to data subjects’ personal data (e.g. a payroll provider) or other entities processing personal data on their behalf, will comply with their respective due diligence processes for the selection of the processor to ensure that the processor has appropriate technical and organizational security measures in place to safeguard the personal data. Group Members shall impose contractual obligations in writing on the processor that comply with the requirements of European data protection law in the form of a data processing agreement. Said agreement shall at least provide for the following:

• The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects;
• The obligations and rights of the controller;
• The following obligations for the entity acting as a processor:
  • To process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by a law to which the processor is subject (in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest);
  • To ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • To implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in the processing of the personal data;
  • Not to engage another processor in relation to the personal data without prior specific or general written authorisation of the controller and to execute, as the case may be, a written agreement with the further processor with the same data protection obligations as set out in the contract or other legal act between the controller and the processor (in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of European data protection law);
  • Taking into account the nature of the processing, to assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights (further described in Rule 5 below);
  • To assist the controller in ensuring compliance with the obligations related to the implementation of due security measures, the undertaking of data protection impact assessments and related consultations to the supervisory authorities; and notification duties of personal data breaches to the supervisory authorities and data subjects (where applicable);
  • At the choice of the controller, to delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless storage of the personal data is required by law;
  • To make available to the controller all information necessary to demonstrate compliance with the obligations as a processor and to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller; and
  • To immediately inform the controller if, in its opinion, an instruction infringes European data protection laws.

Where a Group Member (Entity A) processes personal data as a processor on behalf of a Group Member processing personal data as a controller (Entity B), Entity A will act only on the documented instructions of Entity B and comply with the obligations set out in the pertinent data processing agreement.

RULE 5 – HONOURING DATA SUBJECTS’ RIGHTS

Rule 5 – Group Members will deal with data subjects’ data protection rights requests (including the right to access, rectify, erase, restrict or transmit personal data, or objections to the processing of personal data, as well as withdrawal of consent), in accordance with the Data Subjects’ Rights Procedure set out in Appendix 1.

On request, data subjects are entitled in certain circumstances, as prescribed by European data protection law, to request the following rights:

• right of access, by which the data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and information about the processing which shall include the same elements as those listed under Rule 2A above;
• right to rectification, by which the data subject shall have the right to obtain the rectification of any personal data that might be inaccurate or incomplete;
• right to erasure or “right to be forgotten”, by which the data subject shall have the right to have his or her personal data erased without undue delay where one of the following grounds apply: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; (iii) the data subject objects to the processing and, as applicable, there are no overriding legitimate grounds for the processing; (iv) the personal data have been unlawfully processed; (v) the personal data have to be erased for compliance with a legal obligation; or (vi) the personal data have been collected in relation to the offer of information society services to a child;
• right to restriction of processing, by which the data subject shall have the right to request the restriction of the processing of his or her personal data when one of the following applies (i) the accuracy of the personal data is contested by the data subject, for the period required to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or (iv) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject;
• right to have each recipient to whom the personal data have been disclosed notified regarding any rectification or erasure of personal data or restriction of processing, unless this proves impossible or involves disproportionate effort. The data subject may also request to be informed about such recipients;
• right to data portability, by which the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured format, and to transmit such data to another controller where the processing is based on consent or necessary for the performance of a contract and the processing is carried out by automated means;
• right to object, by which the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on public or legitimate interest, including profiling. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such marketing (in which case the personal data shall no longer be processed for such purposes);
• right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her (where applicable). This shall not be applicable if the decision is (i) necessary for entering into, or performance of, a contract; (ii) authorised by a law; or (iii) based on the data subject’s explicit consent. In the case of (i) or (iii), the controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision; and
• right to withdraw consent given for a specific processing at any time. It shall be as easy to withdraw as to give consent.

Additionally, data subjects are entitled to lodge a complaint with a supervisory authority if the relevant data subject considers that the processing of personal data relating to him or her infringes European data protection law.

Group Members will follow the steps set out in the Data Subjects’ Rights Procedure (Appendix 1) when dealing with such requests.

RULE 6 – ENSURING ADEQUATE PROTECTION FOR TRANSFERS AND ONWARD TRANSFERS

Rule 6 – Group Members will not transfer personal data to third parties outside Europe without ensuring adequate protection for the personal data in accordance with the standards set out by this Policy and in accordance with European data protection law.

Transfers and onward transfers of personal data from Group Members subject to European data protection law to third parties outside Europe are not allowed without appropriate steps being taken as required by European data protection law.

These steps may include, among others:

• confirming that the third party is located in a country which the European Commission has found to offer an adequate level of protection for the personal data transferred; or
• signing up to appropriate standard contractual clauses adopted by the European Commission or other mechanisms similar to those foreseen under European data protection laws; or
• ensuring that the transfer is necessary for: (i) the performance of a contract between the data subject and the transferring Group Member or for the implementation of pre-contractual measures taken at the data subject’s request; (ii) the conclusion or performance of a contract concluded in the interest of the data subject between the transferring Group Member and another party; (iii) important reasons of public interest; (iv) the establishment, exercise or defence of legal claims; (v) the protection of the vital interests of the data subject or of another natural person and where the data subject is incapable of giving consent; or (vi) obtaining the explicit consent of data subjects, after those data subjects have been informed of the possible risks of such transfer due to the absence of an adequacy decision and appropriate safeguards.

These steps must be implemented by Group Members when they are a controller or a processor. However, and in addition to the above, Group Members acting as processors will only transfer personal data outside Europe in accordance with the instructions of the controller as set out in the relevant data processing agreement.

SECTION B: PRACTICAL COMMITMENTS

RULE 7 – COMPLIANCE AND ACCOUNTABILITY

Rule 7A – Group Members will be responsible for and will be able to demonstrate compliance with this Policy and will have appropriate staff and support to ensure and oversee compliance with this Policy throughout the business.

The Avature Group has appointed a team of data protection specialists (with a Group Data Protection Officer leading the team) in charge of ensuring and overseeing that all Group Members are in strict compliance with this Policy on a day-to-day basis. Additionally, Avature Group has a Risk Team and Security Team which assist the Privacy Team in dealing with the technical aspects of privacy compliance.

The Data Protection Officer enjoys the highest management support for the fulfilling of its tasks (to whom it shall report directly and also inform if any questions or problems arise during the performance of its duties as further described below) and has the following responsibilities:

1. leading the Privacy Team, including coordinating with the Risk Team and Security Team on technical aspects of privacy compliance;
2. implementing / informing about and monitoring privacy related practices, policies and issues within the Avature Group, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
3. escalating issues to senior management for proper consideration in accordance with acceptable standard practice;
4. cooperating and coordinating with competent supervisory authorities; and
5. acting as the contact point for competent supervisory authorities and data subjects on issues or requests relating to the processing of personal data.

The team of data protection specialists assist the Data Protection Officer comply with obligations above and, more specifically, control and manage data protection compliance on a day-to-day basis (including mainly handling local complaints from data subjects, monitoring compliance of corporate policies at local level and reporting major privacy issued to the Data Protection Officer).
Group Members will ensure that the Data Protection Officer’s contact details (or those or the Privacy Team) are always published together with the Policy.
Where required for reasons of the complexity and volume of the specific task, the Privacy Team is supported by external counsel.

Rule 7B – Group Members will implement appropriate technical and organisational measures by design and default to enable and facilitate compliance with the Policy in practice.

Taking into account the state of the art and cost of implementation and the scope, nature, context and purposes of the processing, Group Members will implement appropriate technical and organisational measures which meet the principles of data protection by design and by default as required by European data protection law. Group Members will integrate such measures into the processing when determining the means of the processing, and the time of processing itself to facilitate the protection of personal data being processed, and in order to ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed.

Rule 7C – Group Members processing personal data will maintain a written record (including in electronic form) of their processing activities and make that record available to competent supervisory authorities on request.

The data processing records maintained by Group Members, acting as controllers within the Avature Group, will contain:

• the Group Member’s name and contact details and, where applicable, the joint controller, the controller’s representative, and the data protection officer;
• the purposes for which personal data is processed;
• a description of the categories of data subjects about whom personal data is processed and the personal data processed;
• the categories of recipients to whom personal data have been or will be disclosed including recipients in third countries or international organisations;
• details of the third country or countries to which personal data is transferred, including the identification of that third country or international organisation and the documentation of suitable safeguards implemented to legitimize such transfers (unless the country has been declared adequate under European data protection laws);
• where possible, the period for which personal data will be retained; and
• where possible, a general description of the technical and organisational security measures used to protect personal data.

The data processing records maintained by Group Members, acting as processors for a Group Member which is the controller, will contain:

• the Group Member’s name and contact details and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
• the categories of processing carried out on behalf of each controller;
• details of the third country or countries to which personal data is transferred, including the identification of that third country or international organisation and the documentation of suitable safeguards implemented to legitimize such transfers (unless the country has been declared adequate under European data protection laws); and
• where possible, a general description of the technical and organisational security measures used to protect personal data.

The data processing records maintained by Group Members shall be in writing, including in electronic form, and will be made available to competent supervisory authorities on request.

RULE 8 – TRAINING

Rule 8 – Group Members will provide appropriate training to employees who have permanent or regular access to personal data, who are involved in the processing of personal data or in the development of tools used to process such personal data.

Group Members will provide appropriate and up-to-date training to all employees; specially to those who have permanent or regular access to personal data and / or who are involved in the processing of such personal data or in the development of tools used to process such personal data. Such training will be provided at least once a year and will cover, among others, procedures of managing requests for access to personal data by public authorities.

RULE 9 – AUDIT

Rule 9 – Group Members will comply with the Audit Protocol set out in Appendix 2.

Group Members will comply with the Audit Protocol by performing regular internal audits and allowing for external audits where required in accordance with the formal assessment process as stipulated in the Audit Protocol. The outcome of such audits will be communicated in accordance with Appendix 2.

RULE 10– COMPLAINT HANDLING

Rule 10 – Group Members will comply with the Complaint Handling Procedure set out in Appendix 3.

Group Members will comply with the Complaint Handling Procedure as set out in Appendix 3 in order to handle complaints of data subjects and to safeguard the processing of personal data by Group Members. Group Members will also allow for exercising the third-party beneficiary rights as set out in Section C of this Policy.

RULE 11 – CO-OPERATION WITH SUPERVISORY AUTHORITIES

Rule 11 – Group Members will comply with the Co-operation Procedure set out in Appendix 4.

Group Members will comply with the Co-operation Procedure set out in Appendix 4 and will co-operate, accept to be audited and inspected, including where necessary, on-site, by the supervisory authorities in relation to this Policy; as well as to take into account their advice and abide by their decisions on any issues related to this Policy.

RULE 12 – UPDATE OF THE RULES

Rule 12 – Group Members will comply with the Updating Procedure set out in Appendix 5.

Group Members will comply with the Updating Procedure set out in Appendix 5 and will communicate, without undue delay, any update of this Policy and of the list Group Members to competent supervisory authorities, the data subjects concerned and Group Members, as necessary.

RULE 13 – ACTION WHERE NATIONAL LEGISLATION AFFECTS COMPLIANCE WITH THE POLICY

Rule 13A – Group Members commit to only using this Policy as a tool for transfers to Importing Entities where they have duly assessed that the law and practices in the third country of destination applicable to the processing of the personal data by the Importing Entities, including any requirements to disclose personal data or measures authorising access by public authorities, do not prevent them from fulfilling its obligations under this Policy.

Group Members will use this Policy as a tool to safeguard international transfers only where they have assessed that the law and practices in the third countries of destination applicable to the processing of the personal data by the Importing Entities, including any requirements to disclose personal data or measures authorizing access by public authorities, do not prevent them from fulfilling their obligations under this Policy. This shall be based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society, are not in contradiction with this Policy.

In assessing the laws and practices of the third countries which may affect the respect of the commitments contained in this Policy, Group Members shall take due account, in particular, of the following elements:

1. the specific circumstances of the transfer or set of transfers, and of any envisaged onward transfers within the same third country or to another third country, including:
   • purposes for which the data are transferred and processed (e.g. marketing, HR, storage, IT support, etc.);
   • types of entities involved in the processing (the Importing Entity and any further recipient of any onward transfer);
   • economic sector in which the transfer or set of transfers occur;
   • categories and format of personal data transferred;
   • location of the processing including storage; and
   • transmission channels used;
2. the laws and practices of the third countries of destination relevant in light of the circumstances of the transfer, including those requiring to disclose data to public authorities or authorising access by such authorities and those providing for access to these data during the transit between the countries of the Exporting Entities and the countries of the Importing Entities, as well as the applicable limitations and safeguards;
3. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under this Policy, including measures applied during transmission and to the processing of the personal data in the countries of destination.
   Where any safeguards in addition to those envisaged under this Policy should be put in place, the Liable BCR Member and the Data Protection Officer, shall be informed and involved in the assessment.

Group Members shall document appropriately such assessment as well as the supplementary measures selected and implemented. They shall make such documentation available to the competent supervisory authority upon request.

Importing Entities shall promptly notify Exporting Entities if, when using this Policy as a tool for transfers, and for the duration of the membership, they have reasons to believe that they are or have become subject to laws or practices that would prevent them from fulfilling their obligations under this Policy, including following a change in the laws in the pertinent third country or a measure (such as a disclosure request). This information should also be provided to Liable BCR Member.

Upon verification of such notification, the relevant Exporting Entity, along with Liable BCR Member and the Data Protection Officer, commit to promptly identify supplementary measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the Exporting Entity and / or the Importing Entity in order to enable them to fulfil their obligations under this Policy. The same applies if an Exporting Entity has reason to believe that an Importing Entity can no longer fulfil its obligations under this Policy.

Where the relevant Exporting Entity, along with Liable BCR Member and the Data Protection Officer, assesses that the Policy –even if accompanied by supplementary measures– cannot be complied with for a transfer or set of transfers or if instructed by the competent supervisory authority, it commits to suspend the transfer or set of transfers at stake, as well as all transfers for which the same assessment and reasoning would lead to a similar result, until compliance is again ensured or the transfer is ended.

Following such a suspension, the Exporting Entity has to end the transfer or set of transfers if this Policy cannot be complied with and compliance with this Policy is not restored within one month of suspension. In this case, personal data that has been transferred prior to the suspension, and any copies thereof, should at the choice of the Exporting Entity be returned to it or destroyed in their entirety.

The Liable BCR Member and the Data Protection Officer, will inform all other Group Members of the assessment carried out and of its results so that the identified supplementary measures will be applied in case the same type of transfers are carried out by any other Group Members or, where effective supplementary measures could not be put in place, the transfers at stake will be suspended or ended.

Exporting Entities shall also monitor on an ongoing basis, and where appropriate in collaboration with Importing Entities, developments in the third countries to which Exporting Entities have transferred personal data that could affect the initial assessment of the level of protection and the decisions taken accordingly on such transfers.

Rule 13B – Importing Entities will ensure that where they receive a legally binding request by a public authority under the laws of the country of destination for disclosure of personal data transferred pursuant to the Policy or became aware of any direct access by public authorities to personal data transferred pursuant to the Policy in accordance with the laws of the country of destination, Importing Entities will promptly notify the Exporting Entity and, where possible, the data subject (if necessary with the help of the Exporting Entity).

Importing Entities will promptly notify the relevant Exporting Entity and, where possible, the data subject (if necessary, with the help of the Exporting Entity) if it:

• receives a legally binding request by a public authority under the laws of the country of destination, or of another third country, for disclosure of personal data transferred pursuant to the Policy (such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided); or
• becomes aware of any direct access by public authorities to personal data transferred pursuant to the Policy in accordance with the laws of the country of destination (such notification shall include all information available to the Importing Entity).

If prohibited from notifying the Exporting Entity and / or the data subject, the Importing Entity will use its best efforts to obtain a waiver of the prohibition, with a view to communicate as much information as possible and as soon as possible and will document its best efforts in order to be able to demonstrate them upon request of the Exporting Entity.

The Importing Entity will provide the Exporting Entity, at regular intervals, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority or authorities, whether requests have been challenged and the outcome of such challenges, etc.). If the Importing Entity is or becomes partially or completely prohibited from providing the Exporting Entity with the aforementioned information, it shall without undue delay inform the Exporting Entity accordingly.

The Importing Entity will preserve the abovementioned information for as long as the data are subject to the safeguards provided by the Policy and make it available to the competent supervisory authority upon request.

The Importing Entity will review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and will challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The Importing Entity shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the Importing Entity shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules.

The Importing Entity will document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the Exporting Entity. It shall also make it available to the competent supervisory authority upon request.

The Importing Entity will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
In any event, Group Members will ensure that any transfers of personal data under this Policy that they make to a public authority are not massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society.

Where the processing is carried out by a Group Member acting as a processor, under this Policy, it shall also notify the Group Member acting as a controller without undue delay.

RULE 14 – NON-COMPLIANCE WITH THE POLICY AND TERMINATION

Rule 14A – Group Members will only transfer personal data to other Group Members that are effectively bound by the Policy and can deliver compliance.

No transfer shall be made to a Group Member unless such Group Member is effectively bound by the Policy and can deliver compliance. When an Importing Entity is unable to comply with the Policy, for whatever reason, it shall promptly inform the Exporting Entity. In the event the Importing Entity is in breach of the Policy or unable to comply with the Policy, the Exporting Entity shall suspend or not carry out the transfer.
The Importing Entity shall at the choice of the Exporting Entity immediately return or delete the personal data that has been transferred under the Policy in its entirety where:

• the Exporting Entity has suspended the transfer, and compliance with this Policy is not restored within a reasonable time, and in any event within one month of suspension; or
• the Importing Entity is in substantial or persistent breach of the Policy; or
• the Importing Entity fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under the Policy.

The same shall apply to any copies of the data. The Importing Entity shall certify the deletion of the data to the Exporting Entity. Until the data is deleted or returned, the Importing Entity shall continue to ensure compliance with the Policy. When there is a legal prohibition for the Importing Entity to return or delete the transferred personal data, the Importing Entity warrants that it will continue to ensure compliance with the Policy and will only process the data to the extent and for as long as legally required.

Rule 14B – Importing Entities that cease to be bound by the Policy shall ensure that personal data is appropriately kept, returned or deleted, as applicable.

An Importing Entity that ceases to be bound by the Policy may keep, return or delete the personal data received under this Policy. If the Exporting and Importing Entity agree that the data may be kept by the Importing Entity, protection similar to that required under Chapter V GDPR must be maintained.

SECTION C: THIRD PARTY BENEFICIARY RIGHTS

C.1 Data subjects whose personal data is transferred to an Importing Entity must be able to benefit from certain rights as third party beneficiaries to enforce compliance with:

• Rules 1B and 1C of the Policy (regarding fairness, lawfulness, and processing special categories of personal data);
• Rule 2 of the Policy (regarding transparency and purpose limitation);
• Rule 3 of the Policy (regarding data minimisation and accuracy and limited storage periods);
• Rule 4 of the Policy (regarding the security of personal data and data breach notification obligations);
• Rule 5 of the Policy (regarding data subjects’ rights in relation to their personal data);
• Rule 6 of the Policy (regarding transfers and onward transfers);
• Rule 10 of the Policy (regarding complaint handling);
• Rule 11 of the Policy (regarding co-operation with supervisory authorities);
• Rule 12 of the Policy (regarding the updating procedure of this Policy);
• Rule 13 of the Policy (regarding action where national legislation affects compliance with the Policy);
• The provisions in C1 to C3 granting third-party beneficiary rights and setting the liability and jurisdiction rules under the Policy; and
• The right to access the Policy via www.avature.net/legal, the internal wiki available here, or to obtain a hard copy of the Policy as well as a list of the Group Members bound by this Policy through Avature Group’s online form available here https://www.avature.net/contact-privacy-officer/.

by:

• making a complaint: data subjects may lodge complaints to a Group Member (in accordance with the Complaint Handling Procedure set out in Appendix 3) and/or to the competent supervisory authority in the Member State in which the alleged infringement took place, or in which the data subject works or habitually resides; and / or
• bringing proceedings: data subjects can bring proceedings before the courts of a Member State in which the Group Member has an establishment, or in the Member State in which the data subject has his habitual residence.

These rights do not extend to those elements of the Policy pertaining to internal mechanisms implemented within Group Members, such as details of training, audit programme, compliance network, and mechanism for updating the same.

Additionally, Group Members accept that data subjects may be represented by a not-for-profit body, organization or association under the conditions set out in Article 80(1) GDPR.

C.2 Data subjects may also seek appropriate redress from the Liable BCR Member, which agrees to take the necessary action to remedy any breach of the provisions listed in subsection C1 by any Importing Entity and receive compensation from the Liable BCR Member for any damage whether material or non-material suffered by data subjects as a result of a breach of the provisions listed in Section C1 by an Importing Entity in accordance with the determination of a court or other competent authority.

C.3 For the avoidance of doubt, data subjects shall benefit from the third-party beneficiary rights as described in this Section C and the European courts or competent supervisory authorities shall have jurisdiction as if the breach of the provisions described in this Section C or any of them was caused by the Liable BCR Member.

C.4 In the event of a claim being made in which a data subject has suffered damage where that data subject can demonstrate that it is likely that the damage has occurred because a breach of this Policy, Group Members have agreed that the burden of proof to show that an Importing Entity is not responsible for the breach, or that no such breach took place, will rest with the Liable BCR Member.

PART III: APPENDICES

APPENDIX 1

DATA SUBJECTS’ RIGHTS PROCEDURE

When a Group Member acts as a controller of Personal Data

1. Introduction
   1. When a Group Member processes personal data for its own purposes, said Group Member is deemed to be a controller in respect of that information and is therefore primarily responsible for meeting the requirements of Applicable Local Law in relation to the exercise of data subjects’ rights.
   2. All data subjects whose personal data is processed under the GDPR and in accordance with this Policy have the right to:
      • be informed by the relevant Group Member whether any personal data about them is being processed by said Group Member and, if the Group Member does process their personal data, they are entitled to access it (this is known as the right of access); and
      • rectify, erase, restrict, port and/or object to the processing of their personal data.
   3. In addition, when personal data is transferred to another Group Member outside Europe, such personal data will continue to benefit from the rights referred to in 1.2 above and such rights will be dealt with in accordance with the terms of this Data Subjects’ Rights Procedure (the “Procedure“) and Avature’s Data Subject’s Rights Response Policy.
   4. This Procedure explains how Group Members deal with requests relating to personal data that fall into the categories in section 1.2 and 1.3 above (referred to as “Rights Request” in this Procedure). Where the Applicable Local Law differs from this Procedure and requires a higher level of protection for personal data, the local data protection law will prevail.
   5. Information about how data subjects may exercise the rights described in section 1.2 above is also set out in the fair processing statements provided to data subjects by Group Members.
   6. Requests from data subjects relating to the rights described in section 1.2 above may be made preferably through the relevant website form available here.
2. Data subjects’ rights
   1. A data subject making a Rights Request to a Group Member when the Group Member is a controller of the personal data requested is entitled to:
      • be informed whether the Group Member is processing personal data about that data subject;
      • be given a description of:
        1. the purpose for which the personal data is being processed;
        2. the categories of personal data being processed;
        3. the recipients or categories of recipients to whom the personal data is, or may be, disclosed by the Group Member;
        4. where possible, the envisaged period for which the personal data will be stored, or the criteria used to determine that period;
        5. the existence of the rights to rectification, erasure, restriction of or to object to processing and to withdraw consent or complain to a supervisory authority;
        6. the source of the personal data and the categories of personal data concerned, if it was not collected from the data subject;
        7. the safeguards in place where personal data is transferred to a third country;
        8. the logic involved in (to the extent required by Applicable Local Law) and the significance and consequences of any decision-making undertaken by automatic means, including profiling;
      • be provided with a copy of the personal data held by the Group Member. If the request is made by electronic means, the information shall be provided through electronic means, unless the data subject making the request indicates otherwise;
      • require the rectification, erasure, restriction and portability of their personal data;
      • not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similar significant effects; and/or
      • object to the processing of his or her personal data.
3. Receiving a request
   1. If a Group Member, including a Non-European Group Member, receives any request from a data subject relating to the rights described in section 1.2 above, this must be passed to the office of the Data Protection Officer promptly upon receipt indicating the date on which it was received together with any other information which may assist the Data Protection Officer to deal with the request. The Data Protection Officer will handle the request in accordance with Avature’s Data Subject’s Rights Response Policy.
   2. When the Data Protection Officer has reasonable doubts concerning the identity of the data subject, it may request such information that it may reasonably require in order to confirm the identity of the data subject making the request.
   3. The Data Protection Officer must deal with a Rights Request without undue delay and in any event within one (1) calendar month from its receipt. The Data Protection Officer may extend this period, by up to two (2) further calendar months if necessary, taking into account the complexity and number of the requests. Where the period is extended, the Data Protection Officer will inform the data subject of the extension within one month of receipt of their request, together with the reasons for the delay.
   4. The Data Protection Officer will contact the data subject in writing to confirm receipt of the Rights Request, seek confirmation of identity or further information (e.g. clarification on the processing activities to which the request relates), if required, or decline the request in accordance with section 4 below.
4. Declining Rights Request
   1. A Rights Request may be refused on the following grounds:
      • where the request is made to a European Group Member and relates to the processing of personal data by that Group Member, if:
        1. the refusal is consistent with the data protection law within the jurisdiction in which that Group Member is located; or
        2. the Group Member demonstrates that the request is manifestly unfounded or excessive; or
      • where the Rights Request is made to a non-European Group Member and it is unable to deal with the request in accordance with section 3, the relevant non-European Group Member will only refuse the request if the grounds for such refusal are consistent with the data protection law within the European jurisdiction from which the personal data was transferred.
   2. The Data Protection Officer will inform the data subject about the reasons for the refusal of the request within one (1) month of the receipt of the request and about the data subject’s right to complain to a supervisory authority or seek a judicial remedy in relation to the refusal.
5. Group Member’s response
   1. The Data Protection Officer, following the steps described in Avature’s Data Subject’s Rights Response Policy, will arrange with the different departments of the relevant Avature Group business area a search of all electronic and paper filing systems relevant to the request.
   2. The Data Protection Officer may refer any complex cases to external Advisors for advice, particularly where the request includes information relating to third parties or where the release of personal data may prejudice commercial confidentiality or legal proceedings.
   3. Where the Rights Request is a request for access, the personal data requested will be collated into a readily understandable format. A cover letter will be prepared by the Data Protection Officer that will include the information required to be provided in response to the Rights Request.
   4. If the Rights Request is for the erasure, rectification, restriction of processing or portability of personal data, or is an objection to processing where the Group Member is the controller for that personal data, such a request must be considered and dealt with as appropriate by the Data Protection Officer. In particular:
      • if the Rights Request is advising of a change or any inaccuracy in a data subject’s personal data, where the Group Member is the controller for that personal data, such information must be rectified or updated accordingly if the Group Member is satisfied that there is a legitimate basis for doing so;
      • when, pursuant to a Rights Request, the Group Member erases, anonymises, updates, corrects or restricts the processing of personal data, either in its capacity as controller or on instruction of a Group Member (acting as a controller) when it is acting as a processor in accordance with section 6 below, the Group Member will notify other Group Members or any sub-processor to whom the personal data has been shared accordingly so that they can also update their records.
   5. If the Rights Request made to the Group Member as a controller is to erase that data subject’s personal data in accordance with the provisions of Applicable Local Law, the matter will be assessed by the Data Protection Officer. Where the processing undertaken by the Group Member is required or permitted by law, or is necessary for the exercising of the right of freedom of expression and information, the request will be refused.
   6. All queries relating to this Procedure are to be addressed to the Data Protection Officer.
      

      When a Group Member acts as a processor

6. Requests made to the Group Member where the Group Member is a processor
   1. When a Group Member processes information on behalf of a controller (e.g. another Group Member to whom it provides a service), the former Group Member is deemed to be a processor of the personal data and the latter, as controller, will be primarily responsible for meeting the legal requirements under Applicable Local Law. This means that when a Group Member acts as a processor, the Group Member acting as controller retains the responsibility to comply with Applicable Local Law.
   2. Certain data protection obligations are passed on to the Group Members acting as processor on the basis of the contractual commitments entered into with Group Members acting as controllers. In particular, the Group Member acting as processor must proceed in accordance with the instructions of the Group Member acting as controller and undertake any reasonably necessary measures to enable the controller to comply with their duty to respect the rights of data subjects. This means that if any Group Member receives a request from a data subject to exercise his or her rights under Applicable Local Law in its capacity as a processor on behalf of another Group Member, it must transfer such request promptly to the relevant Group Member acting as controller and refrain from responding to the request unless expressly authorised to do so.
   3. When, pursuant to section 5.4 above, the Group Member (acting as a processor) is notified by the Group Member (acting as a controller) of a request for erasure, rectification or restriction in relation to personal data that had been previously disclosed by said Group Member, the Group Member (acting as a processor) will update its records accordingly.

APPENDIX 2

AUDIT PROTOCOL

1. Background
   1. Group Members are required to audit their compliance with the Policy and satisfy certain conditions in so doing, and this document describes how Group Members deal with such requirements.
   2. The role of Avature’s Data Protection Officer and Privacy Team is to provide guidance about the processing of personal data subject to the Policy and to assess the processing of personal data by Group Members for potential privacy-related risks on the day-to-day business. The processing of personal data is, therefore, subject to detailed review and evaluation on an on-going basis. Accordingly, although this Audit Protocol describes the formal assessment process adopted by Group Members to ensure compliance with the Policy as required by the competent supervisory authorities, this is only one way in which Group Members ensure that the provisions of the Policy are observed, and corrective actions are taken as required.
2. Approach
   1. Overview of audit
      1. Compliance with the Policy is overseen on a day-to-day basis by the Data Protection Officer and Privacy Team.
      2. The entity responsible for performing the audits of compliance with the Policy and ensuring that such audits address all aspects of the Policy can vary depending on the specific circumstances of the relevant Group Member. Normally, audits are carried out by Avature’s Data Protection Officer (which is guaranteed independence as to the performance of their duties related to these audits), internal or external auditors, as applicable. The relevant auditor will be responsible for ensuring that any issues or instances of non-compliance are brought to the attention of the Data Protection Officer and that any corrective actions to ensure compliance take place within a reasonable timescale.
   2. Timing and scope of audit
      1. As indicated above, the Data Protection Officer will determine the timing of the audits. Audit of the Policy will take place:
         • Every twenty-four (24) months in accordance with Avature Group’s audit procedure(s); and/or
         • more frequently, at the request and/or as determined necessary by the Data Protection Officer.
      2. In the same line, the scope and coverage of the audit performed will be determined by the Data Protection Officer pursuant to a risk-based analysis which will consider relevant criteria, for example: areas of known non-compliance; areas of current regulatory focus; areas of specific or new risk for the business; areas with changes to the systems or processes used to safeguard information; areas where there have been previous audit findings or complaints; the period since the last review; the nature, method and location of the personal data processed; relevant IT systems, applications and databases; onward transfers; and issues arising from conflict of laws or vendor management.
   3. Auditors
      1. Audit of the procedures and controls in place to give effect to the commitments made in the Policy will be undertaken by the Data Protection Officer and Privacy Team or external accredited auditors, as applicable. Where audits are carried out by external auditors, at least the following conditions shall be met:
         • Carry out a proper due diligence prior to its selection in order to ensure that the pertinent auditors have the appropriate qualifications and status in order to assist with this exercise; and
         • Put in place an agreement with the same in order to regulate the provision of their services in accordance with applicable regulations
   4. Independence
      1. Individuals in charge of deciding on the audit programme or conducting the audits are guaranteed independence as to the performance of their duties.
   5. Report
      1. On completion of the audit, depending on the nature of the same, the report and findings shall be made available to the Data Protection Officer, to Avature’s Chief Executive Officer, the board of the Liable BCR Member and to the different Group Members where the audit has identified data processing activities that must be reviewed bearing in mind the conclusions of the audit. The audit report will also contain details of any remedial action required, recommendations and timescales for remedial action to be undertaken. Where appropriate, the result may be communicated to Avature Group’s ultimate parent board.
      2. Upon request, Group Members have agreed to provide copies of the results of any audit of the Policy to any competent supervisory authority who will upon receiving the audit results be reminded of their duty of professional secrecy under European data protection laws.
      3. The Data Protection Officer shall have the task of liaising with the competent supervisory authorities for the purpose of providing the information outlined above.

APPENDIX 3

COMPLAINT HANDLING PROCEDURE

1. Introduction
   1. The purpose of this Complaint Handling Procedure is to explain how complaints brought by a data subject whose personal data is processed by Group Members under the Policy are dealt with.
2. How data subjects can bring complaints
   1. All complaints of data subjects made under the Policy, notwithstanding whether a Group Member is collecting and/or using personal data on its own behalf, or on behalf of another Group Member, can be submitted in writing (including via email) to the Data Protection Officer. The Data Protection Officer may be contacted through Avature Group’s online form available here https://www.avature.net/contact-privacy-officer/.
3. Who handles complaints?
   1. The Data Protection Officer, with support of the Privacy Team, will handle all complaints arising under the Policy in respect of the processing of personal data. The Data Protection Officer will liaise with relevant business units to investigate the complaint and will coordinate a response (which shall include information on the actions taken to the complainant).
   2. What is the response time?
      • The Data Protection Officer, with support of the Privacy Team, will acknowledge receipt of a complaint to the data subject concerned within ten (10) working days, investigating and making a substantive response within one (1) calendar month. If, due to the complexity of the complaint or number of requests, a substantive response cannot be given within this period, the Data Protection Officer, with support of the Privacy Team, will advise the complainant of the reason for the delay within one (1) calendar month of receipt of the complaint, and provide a reasonable estimate (not exceeding two (2) further calendar months from the date on which the data subject was notified of the extension) for the timescale within which a response will be provided.
      • If the response time is not met and the reply to the complaint is delayed without any informed reason, the data subject can notify this fact to the Data Protection Officer who will, without undue delay and in any event within ten (10) working days, explain the reasons for such delay and inform the data subject about the actions taken so far. The matter will be referred to Avature’s General Counsel (together with a reasoned report determining the measures to be taken) who will review the case and advise the Data Protection Officer how to solve the issues object of the complaint as soon as possible and in any event within ten (10) working days. In any case, the data subject can also make use of the rights described in Section 3.4 below.
   3. When a complainant disputes a finding or the refusal of a complaint
      • If a complaint is considered justified, the Data Protection Officer will take the necessary actions to solve the issue raised by the data subject and will inform him or her accordingly.
      • If the complainant disputes the response of the Data Protection Officer (including if such response is a refusal to attend the complaint) or any aspect of a finding, and notifies the relevant Group Member accordingly, the matter will be referred to Avature’s General Counsel who will review the case and advise the complainant of his/her decision either to accept the original finding or to substitute a new finding. Avature’s General Counsel will respond to the complainant within one (1) calendar month of the referral. If, due to the complexity of the complaint, a substantive response cannot be given within this period, Avature’s General Counsel will advise the complainant of the reason for the delay within one (1) calendar month of receipt of the referral, and provide a reasonable estimate for the timescale (not exceeding two (2) further calendar months) within which a response will be provided. If the complaint is upheld, Avature’s General Counsel will arrange for any necessary steps to be taken as a consequence.
   4. Data subjects whose personal data is processed in accordance with European data protection law also have the right to: (i) complain to a competent supervisory authority in the Member State in which the alleged infringement took place, or in which the data subject works or habitually resides; (ii) and/or lodge a claim with a court of competent jurisdiction which means in a court in the European country where the Group Member is established or in the European country where the individual resides. These rights will apply whether or not they have first made a complaint to a Group Member.

APPENDIX 4

CO-OPERATION PROCEDURE

1. Introduction
   1. This Co-operation Procedure sets out the way in which Group Members will co-operate with, accept to be audited and inspected, including where necessary, on-site, by the competent supervisory authorities in relation to this Policy; as well as to take into account their advice and abide by their decisions on any issues related to this Policy.
2. Co-operation Procedure
   1. Where required, Group Members will make the appropriate personnel available for dialogue with a supervisory authority in relation to the Policy.
   2. Group Members will actively review and consider:
      1. any decisions made by competent supervisory authorities on any data protection law issues that may affect the Policy; and
      2. the views of the European Data Protection Board, and any successor body as outlined in its published EU guidance on Binding Corporate Rules for controllers.
   3. Upon request, the Data Protection Officer will provide copies of the results of any audit of the Policy pursuant to Appendix 2 to any competent supervisory authority, as well as with any information about the processing operations covered by the Policy, who will upon receiving such information be reminded of their duty of professional secrecy under European data protection laws.
   4. Group Members agree that supervisory authorities may carry out a data protection audit or inspection, including where necessary, on-site, of that Group Member in accordance with Applicable Local Law.
   5. Where any Group Member is located within the jurisdiction of a supervisory authority based in Europe, Group Members acknowledge that any supervisory authority may audit that Group Member for the purpose of reviewing compliance with this Policy, in accordance with the applicable law of the country in which the Group Member is located.
   6. All Group Members agree to be audited by the supervisory authorities in accordance with the applicable audit procedures of such supervisory authorities.
   7. Group Members agree to take into account the advice, and comply with the formal decisions, of, a competent supervisory authority relating to the interpretation and application of this Policy, without prejudice to any right to appeal such formal decisions.
   8. Group Members agree that any dispute related to a competent supervisory authority’s exercise of powers of supervision over this Policy will be resolved by the courts of the Member State where such supervisory authority is located, in accordance with the Member State’s procedural law.

APPENDIX 5

UPDATING PROCEDURE

1. Introduction
   1. This Updating Procedure sets out the way in which the Liable BCR Member will communicate changes to the Policy to the competent supervisory authorities, individuals and to the Group Members bound by the Policy.
   2. Material changes to the Policy
      1. The Liable BCR Member will communicate in advance any material changes to the Policy (i.e. any modification that would possibly be detrimental to the level of protection offered by the Policy or significantly affect the Policy –e.g. changes to its binding character–, etc.) to the Spanish Data Protection Agency (the “BCR Lead”) without undue delay and, via the BCR Lead, to any other relevant supervisory authorities. Such communication shall include a brief explanation of the reasons for the update. The relevant supervisory authority will also assess whether the changes made require a new approval.
   3. Administrative changes to the Policy
      1. The Liable BCR Member will communicate to the BCR Lead and via the BCR Lead to other supervisory authorities concerned when requested or at least once a year changes to the Policy (or lack of them). This annual update will also include the renewal of the confirmation regarding the Liable BCR Member having sufficient assets, or having made appropriate arrangements to enable itself to pay compensation for damages resulting from a breach of the Policy.
      2. Examples of the abovementioned changes that may arise include those that are administrative in nature (including updates to the list of Group Members); have occurred as a result of a change of applicable European data protection law; or resulting from any legislative, court decision or supervisory authority measure. The Liable BCR Member will also provide a brief explanation to the BCR Lead and to any other relevant supervisory authorities of the reasons for any notified changes to the Policy.
   4. Communicating and logging changes to the Policy
      1. The Policy contains a change log which sets out the date of revisions to the Policy and the details of any revisions made. The Data Protection Officer (together with the Privacy Team) will maintain an up-to-date list of the changes made to the Policy and provide the necessary information to the supervisory authorities upon request.
      2. The Liable BCR Member will communicate all changes to the Policy, whether administrative or material in nature:
         • to the Group Members bound by the Policy, without undue delay and publish an updated version of this Policy on the Avature wiki website https://wiki.xcade.net/wiki/Policies,_Guidelines,_Agreements_%26_Certifications;
         • systematically to the data subjects who benefit from the Policy, via the Avature website www.avature.net/legal; and
         • to the supervisory authorities upon request, or via the competent supervisory authorities, as applicable.
      3. The Data Protection Officer (together with the Privacy Team) will maintain an up-to-date list of the changes made to the Policy (including a copy of all versions of the same) and the list of Group Members bound by the Policy. The list of Group Members and any updates to the Policy will be available to and accessible by the data subjects and competent supervisory authorities.
   5. New Group Members
      1. The Data Protection Officer (together with the Privacy Team) will ensure that all new Group Members are effectively bound by, and can deliver compliance with the Policy before carrying out a transfer of personal data to Group Members.